Financial Privacy & Security In the News
Privacy and Security Law Report: Volume 5 Number 2, Page 36

Pennsylvania Governor Signs Data Breach Consumer Notice Bill
PHILADELPHIA—Legislation signed Dec. 22 by Pennsylvania Gov. Edward G. Rendell (D) (S.B. 712) requires owners of computerized data to notify consumers of data security breaches that may compromise the privacy of their personal information.
The Breach of Personal Information Notification Act requires businesses and government agencies that maintain, store, or manage personal information on computers to notify Pennsylvania residents "without unreasonable delay" of any unauthorized access to their personal information if data security systems are breached. A breach is defined as the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information that is maintained as part of a database. Personal information under the bill includes a person's first name or initial and last name linked to his or her unencrypted Social Security number, driver's license or alternate state-issued identification number, or a financial account number with access code.

The bill, which is effective 180 days after enactment and applies to data security breaches that occur on or after that date, "will provide a strong line of defense in the event personal information is stolen," the governor said in a statement.

Risk of Harm Threshold Questioned

But consumer advocates say the bill has little value to consumers because the notification requirement only applies if the business or government entity "reasonably believes" the data security breach "has caused or will cause loss or injury" to any Pennsylvania resident.

The bill puts the decision about whether or not to notify consumers of a security breach in the hands of the compromised business, which may decide if the immediate economic and public relations costs of notifying its customers outweigh any risks it might face for failing to disclose a security breach, Jim Swoyer, public interest advocate for Pennsylvania Public Interest Research Group, told BNA.

By reducing the likelihood that companies will face the embarrassment and cost of issuing a broad consumer notice, the weak and vague notification trigger in the bill will be a disincentive for them to invest in data security upgrades, Swoyer said. It also makes it less likely that consumers will find out about unauthorized access to their personal information in time to block or at least minimize its misuse, he said.

Of the 22 other states that had enacted data security breach notification legislation by the end of 2005, at least 10 have stronger measures that do not give businesses broad discretion to decide if notice is necessary, according to Swoyer. Those states are California, Illinois, Minnesota, New Jersey, Nevada, New York, North Dakota, Rhode Island, Tennessee, and Texas. Many of those states also apply their more stringent notification standards to financial institutions, Swoyer said, while the Pennsylvania bill allows financial institutions to comply with federal regulators' notification requirements, which also include a risk threshold provision.

Notification Provisions

The Pennsylvania bill requires consumers to be notified of a data security breach in writing, by telephone, or by e-mail, but allows for substitute notice by a combination of e-mail, Internet posting, and statewide mass media notification if more than 175,000 people are affected or the cost of the notice will exceed $100,000. National consumer reporting agencies also must be notified of the timing, distribution, and number of notices when a data security breach notification involves more than 1,000 people at one time.

Notification may be delayed at the written request of a law enforcement agency that determines the notification will impede a civil or criminal investigation. Vendors have to provide notice of a data security breach only to the entity on whose behalf they are handling the data, which in turn would be responsible for complying with all the requirements of the notification law. The attorney general is given the exclusive authority to bring a civil action under the state Unfair Trade Practices and Consumer Protection Law for violations.

Safe harbor from the law is provided for any covered entity with an information security policy that includes notification procedures consistent with those in the bill, as long as it follows those procedures in the event of a breach.

Full text of Pennsylvania S.B. 712, the Breach of Personal Information Notification Act, as passed by the legislature, is available at http://www2.legis.state.pa.us/WU01/LI/BI/BT/2005/0/SB0712P1410.pdf. Links to the 23 state security breach notification laws enacted to date are on the Public Interest Research Group Web site at http://www.pirg.org/consumer/credit/statelaws.htm#considerb.

By Lorraine McCarthy